When showing user admin page - Password Question


shaggycap


I'm building a user admin section on my CMS, and have a page showing the details of a user that you can edit.

I can't just display the password field as its an MD5 hash, so what would be the best approach here? Obviously I can't decode it so I wondered how you dealt with something like this?

[quote author=steelmanronald06 link=topic=117581.msg480844#msg480844 date=1165538527]
Or just not MD5 your password, which is highly ill advised.
[/quote]
I suspect this might be some sort of twisted sarcasm, but if it isn't, would you care to explain why it's a good idea to store passwords in plain text?

[quote author=Albright link=topic=117581.msg485135#msg485135 date=1166141029]
[quote author=steelmanronald06 link=topic=117581.msg480844#msg480844 date=1165538527]
Or just not MD5 your password, which is highly ill advised.
[/quote]
I suspect this might be some sort of twisted sarcasm, but if it isn't, would you care to explain why it's a good idea to store passwords in plain text?
[/quote]
He said that it was ill advised, meaning he's saying it's a bad thing to do.

[quote author=Daniel0 link=topic=117581.msg485297#msg485297 date=1166166677]
Take a look at [url=http://php.net/mcrypt]mcrypt[/url]
[/quote]

Mcrypt has decryptable algorithms, not hashes. For passwords use hashes.

http://nl2.php.net/manual/en/ref.hash.php

not necessarily..
[code]<?php

// $password is the submitted plaintext, $salt is the user's stored salt and
// $passwordFromDB is the hash stored for that user; all three are assumed to
// have been loaded above this snippet.

// First try the current algorithm (sha1).
if (sha1($password . $salt) !== $passwordFromDB)
{
    // No sha1 match: fall back to the legacy md5 hash.
    if (md5($password . $salt) !== $passwordFromDB)
    {
        die('password incorrect');
    }
    else
    {
        // The legacy hash matched, so re-hash with sha1 now; this new value
        // must also be written back to the database to complete the upgrade.
        $passwordFromDB = sha1($password . $salt);
    }
}

echo 'Welcome';

?>[/code]

edit: removed false-false.

I think you want to remove those ! from before sha1 or md5, but yeah, that should work; just transparently re-hash the password if the old hash algorithm shows that it is correct.

One thing to keep in mind is that md5() creates a string of 32 characters, and sha1() creates 40 characters. If you've set up the password field in your database to only hold 32 characters, you should modify it first to fit all 40 characters that a sha1() call will give you.
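The two points made in this thread, use a one-way hash rather than a reversible cipher, and upgrade old hashes transparently at login, can be put together in one self-contained script. The following is an added example, not code from the thread or from any poster: it goes a step beyond the thread by migrating a legacy md5(password . salt) record to PHP's password_hash() instead of to sha1(), since password_hash() salts internally and stores the algorithm and cost alongside the digest. The table layout (users with id, username, password_hash and legacy_salt), the sample user, salt and password are all constructed for the demo, and an in-memory SQLite database via pdo_sqlite is assumed to be available.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Shows "transparently re-hash on login":
// a legacy md5(password . salt) record is verified once more, then replaced by a
// password_hash() digest, so the plaintext never has to be recovered by anyone.
// Table and column names below are assumptions made for this demo.

const LEGACY_MD5_LEN = 32; // md5() hex digest is 32 chars (sha1() is 40), as noted above

// A stored value that is exactly 32 hex characters is treated as a legacy md5 hash;
// password_hash() output always starts with '$', so the two cannot be confused.
function isLegacyMd5(string $stored): bool
{
    return strlen($stored) === LEGACY_MD5_LEN && ctype_xdigit($stored);
}

// Returns true when the password is correct; upgrades the stored hash as a side effect.
function loginAndMigrate(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash, legacy_salt FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still run a verify so the response time matches a real failure.
        static $dummy = null;
        $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }

    $stored = (string) $row['password_hash'];

    if (isLegacyMd5($stored)) {
        // Legacy path: the same construction the thread uses, compared in constant time.
        if (!hash_equals($stored, md5($password . (string) $row['legacy_salt']))) {
            return false;
        }
        // Correct password: upgrade the record now, while the plaintext is in hand.
        storeNewHash($pdo, (int) $row['id'], $password);
        return true;
    }

    // Modern path: password_verify() reads algorithm, cost and salt from the stored string.
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Also upgrade when the default algorithm or cost has changed since the hash was made.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        storeNewHash($pdo, (int) $row['id'], $password);
    }
    return true;
}

function storeNewHash(PDO $pdo, int $userId, string $password): void
{
    // password_hash() generates its own salt, so the per-user salt column is cleared.
    $new = password_hash($password, PASSWORD_DEFAULT);
    $upd = $pdo->prepare('UPDATE users SET password_hash = ?, legacy_salt = NULL WHERE id = ?');
    $upd->execute([$new, $userId]);
}

// --- Demo on an in-memory SQLite database with constructed data ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Same column-width point as above for sha1(): password_hash() output is 60 chars for
// bcrypt today and may grow with other algorithms, so the PHP manual advises VARCHAR(255).
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, '
         . 'password_hash TEXT, legacy_salt TEXT)');
$salt = 'x7Qp'; // constructed legacy salt
$ins = $pdo->prepare('INSERT INTO users (username, password_hash, legacy_salt) VALUES (?, ?, ?)');
$ins->execute(['alice', md5('correct horse' . $salt), $salt]);

var_dump(loginAndMigrate($pdo, 'alice', 'wrong password')); // wrong password: record untouched
var_dump(loginAndMigrate($pdo, 'alice', 'correct horse'));  // legacy md5 matches: record upgraded
$after = $pdo->query("SELECT password_hash, legacy_salt FROM users WHERE username = 'alice'")
             ->fetch(PDO::FETCH_ASSOC);
var_dump(isLegacyMd5($after['password_hash']), $after['legacy_salt']); // no longer legacy, salt cleared
var_dump(loginAndMigrate($pdo, 'alice', 'correct horse'));  // second login goes through password_verify()
```

The legacy branch only runs while a user's row still holds a 32-character hex value; once they log in successfully it is rewritten, so the md5 code path disappears from use one user at a time without a mass reset. Users who never return keep their md5 record, which is the usual reason to also set a deadline after which remaining legacy rows are invalidated and those users must reset their password.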